I'll check again tomorrow, and also let the secteam in on this bug.

On Tue, Sep 4, 2018, 18:40 Andreas Hasenack <email address hidden> wrote:
> Are you sure you are in ubuntu 14.04.5? Trusty's latest apache2 is
> 2.4.7-1ubuntu4.20
>
> I assume you meant xenial, which does have 2.4.18-2ubuntu3.8 in security
> but has 3.9 in updates.
>
> 3.8 has security fixes around "nonce generation":
>
> * SECURITY UPDATE: insecure nonce generation
> - debian/patches/CVE-2018-1312.patch: actually use the secret when
> generating nonces in modules/aaa/mod_auth_digest.c.
> - CVE-2018-1312
>
>
> ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-1312
>
> --
> You received this bug notification because you are a member of Ubuntu
> Server, which is subscribed to apache2 in Ubuntu.
> https://bugs.launchpad.net/bugs/1790430
>
> Title:
> None issues with auth_digest when running behind an reverse proxy
>
> To manage notifications about this bug go to:
>
> https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1790430/+subscriptions